COSO: From Cube to Helix, What Does This Mean For Organizations?

The 2017 COSO Enterprise Risk Management Framework – Integrating with Strategy and Performance (2017 ERM Framework), released on September 6, 2017, takes a forward-looking view of Enterprise Risk Management (ERM). It establishes a seat at the executive table for risk professionals by highlighting the importance of considering risk in strategy-setting processes and performance management throughout the company. The change in graphics from the well-known 2004 Cube to the 2017 Helix reflects an evolution: from seeing ERM as a set of tools for value preservation to using ERM as a facilitator for value creation.

The impetus for the new ERM Framework is that the environment in which financial executives operate has evolved. The complexity of risks has changed, new risks have emerged and management and boards have grown in their awareness and oversight of ERM. The 2017 ERM Framework highlights the need for organizations to think more strategically about how to manage volatility, complexity and ambiguity. Further, studies have shown that integrating a sound ERM Framework accelerates revenue growth and enhances performance.

As companies think about how to move forward with their ERM programs, a good first step is to read the Executive Summary to the 2017 ERM Framework, which covers its key elements. The summary explains, as visualized by the helix, that the ERM Framework is a set of principles organized into five interrelated components. The principles, twenty in all, support each of the five components and cover everything from governance to monitoring. Adhering to the principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.

Robert B. Hirth Jr., COSO Chair, says that COSO went through an extensive draft exposure, obtaining feedback through four channels that included surveys, letters, meetings and social media. From reducing the density of the ERM Framework to enhancing its linkage to strategy, all feedback submitted was evaluated through a structured review process. As a follow-up, COSO will be publishing a Compendium of Examples by the summer of 2018.

Deon Minnaar, Partner, KPMG, points out that the 2017 ERM Framework takes a forward look at “risk to strategy” and “risk of strategy.” He shared that companies are good at assessing “risk to strategy,” but there are often opportunities within “risk of strategy,” i.e., is it the right strategy?

According to Minnaar, “one size fits one.” In other words, no two companies are alike and the risk program needs to understand how best to achieve integration. To be successful, Minnaar says, “organizations need to align their strategy, governance structure and culture and design a deliberate risk program that will integrate into the management and performance processes. Risk professionals should not be defining the business cycle but complementing the business cycle. The ideal would be that organizations integrate their risk framework as they work through their strategies and align processes. You also don’t need to over-engineer your ERM program to be effective. Although this updated Framework was developed to assist companies in their risk management programs, you don’t need to be advanced in every principle to have a very effective ERM program. It is important that you perform your own analysis and ensure this Framework fits your organization and culture. Implementing this ERM Framework is not a project, but a program that has to be adopted.”

The Strategy, Business Objectives, and Performance graphic below provides context for mission, vision and core values as drivers of an entity’s overall direction and performance.

With the new 2017 ERM Framework in place, what should boards, CEOs, CFOs, CROs and other executives be thinking about? Hirth believes that companies should be “re-evaluating their risk management program to ensure they are obtaining the maximum value.” Hirth asks, “Have you always met your targets? If so, your company may already be applying many of the components within the 2017 ERM Framework. If not, investing time in the 2017 ERM Framework and its Principles may help your company do some things better.” The Framework should help companies be more proactive and begin to think longer-term about the potential changes that could lie ahead. Risks will still exist, but focusing on the key components and twenty principles of the 2017 ERM Framework will help companies respond better to some of these risks.

With regard to strategy, or a starting point for implementation, the COSO Chair suggests that companies should consider performing a diagnostic comparison of all twenty principles against what they are already doing. This comparison will help to identify which principles are present and functioning versus where the focus and opportunities should be. Hirth stated that “regardless of where a company starts, ROI can be huge and immediate.” Understanding the intersection between the 2017 ERM Framework and the 2013 Internal Control – Integrated Framework is important. The two Frameworks are separate but complementary and have a point of intersection at Principle 13, Risk Response. Hirth notes that “to have effective risk management, you have to have effective internal controls and vice versa. Essentially, if you have an effective internal control environment you should then be confident in your processes, systems, and people so more time can be devoted to ERM and optimizing strategy and performance.”

There are many benefits of implementing this forward-looking 2017 ERM Framework. Frank Martens, PwC, explains two benefits: 1) integrating risk and strategy, which provides greater value in understanding current and future opportunities, and 2) minimizing the surprises and losses that may occur in day-to-day operations. Organizations need to ensure their risk management efforts recognize which model (1 or 2) they are in and the related impact on their strategy. Companies face different levels of risk depending on their areas of focus and what they are involved in, but if these risks are managed proactively and addressed within the strategy, this will significantly help to prevent issues from occurring.

Although ERM provides important benefits, limitations still exist. Communication across the organization is essential to an effective ERM program. The 2017 ERM Framework will not prevent unexpected events from happening, but it will prepare organizations to address them when they do arise. The strategy created should be agile and able to change quickly when needed. The 2017 COSO ERM Framework will help companies manage risk effectively, not only for today, but into the future as well.

Pratima Ramroop is Vice President - SOX Compliance and Danielle Simione is Director, SOX Advisory and Reporting. Both are with American Express and members of the Committee on Governance, Risk and Compliance (CGRC).


Financial Executives International connects senior-level financial executives by defining the profession, exchanging ideas about best practices, educating members and others and working with the government to improve the general economy.